New Undocumented SideWalk Backdoor attacking several US-based computer retail businesses via modular attacks …

Continue reading
SideWalk, a previously undocumented backdoor, is targeting several US-based Computer retail businesses as part of a recent campaign initiated by a Chinese APT group dubbed SparklingGoblin.
ESET, a Slovakian cybersecurity firm, initially identified the APT group and discovered its connection to the Winnti umbrella group and another backdoor called Crosswalk.
Thibaut Passilly and Mathieu Tartare, researchers at ESET, published a report stating that "SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C [command-and-control] server, makes use of Google Docs as a dead drop resolver, and Cloudflare workers as a C&C server."
Reports suggest that SparklingGoblin is associated with attacks aimed at Hong Kong universities using backdoors such as Spyder and ShadowPad.

Since last year, the APT group has targeted several profound organizations and firms across the world, such as media companies, religious organizations, e-commerce platforms, computer, and electronics manufacturers.
SideWalk is an encrypted shellcode variant that is deployed through a .NET that takes care of retrieving the encrypted shellcode from disk, decrypting it, and inserting it into an authorized process using the process hollowing mechanism. After the initial phase of infection, SideWalk secures communications with the C&C server, with the malware retrieving the encrypted IP address from a Google Docs document.

The researchers from ESET stated that "The decrypted IP address is 80.85.155[.]80. That C&C server uses a self-signed certificate for the facebookint[.]com domain. This domain has been attributed to BARIUM by Microsoft, which partially overlaps with what we define as Winnti Group."
The report concluded by mentioning that "SideWalk is a relatively new backdoor abused by the SparklingGoblin APT. The links between SideWalk and Crosswalk backdoor are profound as they share similar structure and implementation details."
Polymarket's hack losses climb to $3.1M across 11 wallets as the platform faces a federal probe into deceptive marketing, even after pledging full refunds.